|
Thursday, 14 January 2010 12:07 |
|
Financial Services companies are extraordinarily sensitive to risks that arise from the rapid evolutionary changes in IT. It is paramount for CIOs and CSO's of financial companies to establish and maintain a Sound 27K ISMS Compliant Control Environment in the face of the migration of legacy services to cloud computing.The presentation of MARIANO ARNAIZ from CESCE is about a management approach for achieving a Sound 27K ISMS Compliant Control Environment while emigrating towards the various modalities of outsourced or cloud computing.As CIO’s are faced with the compelling argument of getting far more IT computing resources for much less, many security concerns arise due to the fact that organizational assets are in the custody of a very immature environment that can’t provide the level of risk mitigating control that financial organizations need. The CIO / CSO need an approach for obtaining assurance that the controls needed are indeed readily available and effective.The ISO 27001 establishes three forms of risk treatment; acceptance, mitigation through controls in a single domain, or the transfer of the risk responsibility through administrative and legal prescription (e.g. Service Level Agreement).The line between treatment through mitigation or transfer is determined by establishing if the cloud can in deed provide a sound control environment. This can perhaps be described as the virtualization of the ISMS controls. The problem addressed is determining how and where cloud security administration can provide adequate controls for the data asset owner. The owner’s accountability, especially with regards to compliance requirements, is about when the transfer of responsibility provides an adequate level of assurance.The presentation will be held within the ENISA-ANACOM Workshop on Risk and Innovation taking place on January 22, 2010 in Lisbon (Portugal).
|
